
Create AD-Users with API

Hello Community,

I wrote some scripts to push objects, firewall rules, authentication servers and many more settings to the XG v18 firewalls via API calls. All of this works as expected. The only thing is that I can't create admin users for the firewalls that use Active Directory authentication. My firewall has an AD connection to the domain controllers and I created an AD user group on the firewall ("AdminUsers"). Now when I send the XML request I only get the error message: Operation could not be performed on Entity.

 

This is my request:

<Request>
<Login>
   <Username>admin</Username>
   <Password passwordform='encrypt'>#encr_pass#</Password>
</Login>
<Set operation='add'>
<User>
<Username>user.name@dom.local</Username>
<Name>user.name@dom.local</Name>
<UserType>Administrator</UserType>
<EmailList>
  <EmailID> user.name@dom.de</EmailID>
</EmailList>
<Group>AdminUsers</Group>
<SurfingQuotaPolicy>Unlimited Internet Access</SurfingQuotaPolicy>
<AccessTimePolicy>Allowed all the time</AccessTimePolicy>
<SSLVPNPolicy>No Policy Applied</SSLVPNPolicy>
<ClientlessPolicy>No Policy Applied</ClientlessPolicy>
<ScheduleForApplianceAccess>All The Time</ScheduleForApplianceAccess>
<LoginRestrictionForAppliance>AnyNode</LoginRestrictionForAppliance>
<Profile>Administrator</Profile>
</User>
</Set>
</Request>

 

This is the response from the firewall:

<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1800.1" IPS_CAT_VER="1">
  <Login>
    <status>Authentication Successful</status>
  </Login>
  <User transactionid="">
    <Status code="500">Operation could not be performed on Entity.</Status>
  </User>
</Response>

 

Does anybody have an idea what is wrong with my request?

 

Thanks,

Ben



  • Seems something is missing with your request.

    Could you either check the /log/apiparser.log and /log/applog.log ? 


  • Hello LuCar Toni,

    I checked the apiparser.log and found some missing parts in the request (but the API documentation says that these are optional values).

    LuCar Toni said:

    Seems something is missing with your request.

    Could you either check the /log/apiparser.log and /log/applog.log ?


    <Set operation='add'>
    <User>
    <Username>user.name@dom.local</Username>
    <Name>user.name@dom.local</Name>
    <Description/>
    <Password/>
    <LoginRestriction/>
    <SimultaneousLoginsGlobal/>
    <IsEncryptCert/>
    <MACAddressList>
    <MACAddress>00:00:00:00:00:00</MACAddress>
    </MACAddressList>
    <UserType>Administrator</UserType>
    <EmailList>
    <EmailID>user.name@dom.de</EmailID>
    </EmailList>
    <Group>AdminUsers</Group>
    <SurfingQuotaPolicy>Unlimited Internet Access</SurfingQuotaPolicy>
    <AccessTimePolicy>Allowed all the time</AccessTimePolicy>
    <DataTransferPolicy/>
    <QoSPolicy/>
    <SSLVPNPolicy>No Policy Applied</SSLVPNPolicy>
    <ClientlessPolicy>No Policy Applied</ClientlessPolicy>
    <Status>Active</Status>
    <L2TP>Enable</L2TP>
    <PPTP>Enable</PPTP>
    <CISCO>Disable</CISCO>
    <QuarantineDigest>Disable</QuarantineDigest>
    <MACBinding>Disable</MACBinding>
    <ScheduleForApplianceAccess>All The Time</ScheduleForApplianceAccess>
    <LoginRestrictionForAppliance>AnyNode</LoginRestrictionForAppliance>
    <Profile>Administrator</Profile>
    <L2TPIp/>
    <PPTPIp/>
    </User>
    </Set>
    </Request>

    The request still fails with this error (and I see no user on the WebAdmin): 

    <Status code="500">Operation could not be performed on Entity.</Status>

     

    When I look into the /log/apiparser.log it seems that everything is OK:

    INFO Mar 10 09:22:32 [18295]: Start Login Handler,Component : Login
    ERROR Mar 10 09:22:32 [18295]: Key:ISCrEntity is not found in RequestMap File for Login.
    INFO Mar 10 09:22:32 [18295]: Mapping file for Login component is /_conf/csc/IOMappingFiles//1800.1/Login/Login.xml
    ERROR Mar 10 09:22:32 [18295]: Flag setting for this opcode is 18.
    INFO Mar 10 09:22:33 [18295]: Opcode response: status:200
    INFO Mar 10 09:22:33 [18295]: Authentication Successful
    INFO Mar 10 09:22:33 [18295]: Start Set Handler,Component : User
    ERROR Mar 10 09:22:33 [18295]: Key:ISCrEntity is not found in RequestMap File for User.
    WARNING Mar 10 09:22:33 [18295]: Transaction id is missing of for the component : <User>.
    ERROR Mar 10 09:22:33 [18295]: type != const in logicaloperator.So string comparision is done.
    ERROR Mar 10 09:22:33 [18295]: type != const in logicaloperator.So string comparision is done.
    ERROR Mar 10 09:22:33 [18295]: type != const in logicaloperator.So string comparision is done.
    ERROR Mar 10 09:22:33 [18295]: type != const in logicaloperator.So string comparision is done.
    ERROR Mar 10 09:22:33 [18295]: type != const in logicaloperator.So string comparision is done.
    ERROR Mar 10 09:22:33 [18295]: Flag setting for this opcode is 16.
    INFO Mar 10 09:22:34 [18364]: Start Login Handler,Component : Login
    ERROR Mar 10 09:22:34 [18364]: Key:ISCrEntity is not found in RequestMap File for Login.
    INFO Mar 10 09:22:34 [18364]: Mapping file for Login component is /_conf/csc/IOMappingFiles//1800.1/Login/Login.xml
    ERROR Mar 10 09:22:34 [18364]: Flag setting for this opcode is 18.
    INFO Mar 10 09:22:35 [18364]: Opcode response: status:200
    INFO Mar 10 09:22:35 [18364]: Authentication Successful
    INFO Mar 10 09:22:35 [18364]: Start Set Handler,Component : User
    ERROR Mar 10 09:22:35 [18364]: Key:ISCrEntity is not found in RequestMap File for User.
    WARNING Mar 10 09:22:35 [18364]: Transaction id is missing of for the component : <User>.
    ERROR Mar 10 09:22:35 [18364]: type != const in logicaloperator.So string comparision is done.
    ERROR Mar 10 09:22:35 [18364]: type != const in logicaloperator.So string comparision is done.
    ERROR Mar 10 09:22:35 [18364]: type != const in logicaloperator.So string comparision is done.
    ERROR Mar 10 09:22:35 [18364]: type != const in logicaloperator.So string comparision is done.
    ERROR Mar 10 09:22:35 [18364]: type != const in logicaloperator.So string comparision is done.
    ERROR Mar 10 09:22:35 [18364]: Flag setting for this opcode is 16.
    INFO Mar 10 09:22:36 [18364]: Opcode response: status:500
    INFO Mar 10 09:22:36 [18364]: End SET Handler, Status : Success, Component : User, Transaction : NONE, Operation : add.
    MESSAGE Mar 10 09:22:36 [18364]: ENTITY 'User' IMPORT Success
    INFO Mar 10 09:22:36 [18364]: Command:/scripts/apiparser_generate_tar.sh /sdisk/api-1583828554553279.txt /sdisk/API-1583828554553279 /sdisk/APIXMLOutput/1583828554210.xml /sdisk/API-1583828554553279.tar /sdisk/API-1583828554553279.log 0 status:3
    INFO Mar 10 09:22:36 [18364]: No need to create Tar file. Response file is /sdisk/APIXMLOutput/1583828554210.xml

    This is the /log/applog.log:

    Mar 10 09:35:13 apiInterface:versionsupported: true.
    Mar 10 09:35:13 apiInterface:request mode -> 147.
    Mar 10 09:35:13 apiInterface:Current ver :::'1800.1'
    Mar 10 09:35:13 apiInterface:entityjson::::::::identity::user=HASH(0xa1b9960)
    Mar 10 09:35:14 Info:: Transaction will not be rolled back for opcode add_admin. If any operation fails, request is part of multiple request :
    Mar 10 09:35:14 validation for web service API
    Mar 10 09:35:14 add_user: user user.name@dom.loc authserverid 1, local authserverid 1
    Mar 10 09:35:14 API-Parser /sdisk/api-1583829312728711.txt found.
    Mar 10 09:35:14 API-Parser /sdisk/api-1583829312728711.txt size = 0 && script is invoked by api_parser

     


  • What about downloading the user via XML (Import / Export)? Which fields are used there?

  • This is the XML export for the user (actually imported from a CSV file):

     

    <User transactionid="">
    <Username>user.name@dom.loc</Username>
    <Name>user.name</Name>
    <Password passwordform="encrypt">#encr_password#</Password>
    <Description/>
    <UserType>Administrator</UserType>
    <EmailList>
    <EmailID>user.name@dom.de</EmailID>
    </EmailList>
    <Group>AdminUsers</Group>
    <SurfingQuotaPolicy>Unlimited Internet Access</SurfingQuotaPolicy>
    <AccessTimePolicy>Allowed all the time</AccessTimePolicy>
    <DataTransferPolicy/>
    <QoSPolicy/>
    <SSLVPNPolicy>No Policy Applied</SSLVPNPolicy>
    <ClientlessPolicy>No Policy Applied</ClientlessPolicy>
    <Status>Active</Status>
    <L2TP>Enable</L2TP>
    <PPTP>Enable</PPTP>
    <CISCO>Disable</CISCO>
    <QuarantineDigest>Disable</QuarantineDigest>
    <MACBinding>Enable</MACBinding>
    <LoginRestriction>AnyNode</LoginRestriction>
    <ScheduleForApplianceAccess>All The Time</ScheduleForApplianceAccess>
    <LoginRestrictionForAppliance>AnyNode</LoginRestrictionForAppliance>
    <IsEncryptCert>Disable</IsEncryptCert>
    <SimultaneousLoginsGlobal>Enable</SimultaneousLoginsGlobal>
    <Profile>Administrator</Profile>
    <L2TPIp/>
    <PPTPIp/>
    </User>


  • Hello LuCar Toni,

    I was able to import the user with this XML file. Next I used this XML file in my script and I was able to create the user:

    • With this request the 'transactionid' attribute in the User tag is required.
    • Also the Password tag must be filled; in my case I used the username as the password (when the user logs in, the firewall uses the AD password).

    In my script for importing the other objects the 'transactionid' is not required, very strange…

     

    These are the decisive tags for the 'User':

    <User transactionid="">
    <Password>user.name</Password>

     

    Cheers,

    Ben

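As an added example (not code from this thread and not Sophos' own client code), here is a small Python helper that assembles the add-user request with the two tags Ben found decisive, checks a request for those two defects before it is sent, and reads the <Status code="..."> out of the firewall's reply. The element names and fixed values are taken from the XML export posted above; the admin credentials, the target user and the sample response below are constructed values, and the firewall endpoint is left to the caller's existing script.

```python
import xml.etree.ElementTree as ET

# Tags and values after <Group>, in the order of the export posted in the thread.
# An empty value produces an empty element such as <Description/>.
USER_DEFAULTS = [
    ("SurfingQuotaPolicy", "Unlimited Internet Access"),
    ("AccessTimePolicy", "Allowed all the time"),
    ("DataTransferPolicy", ""), ("QoSPolicy", ""),
    ("SSLVPNPolicy", "No Policy Applied"), ("ClientlessPolicy", "No Policy Applied"),
    ("Status", "Active"), ("L2TP", "Enable"), ("PPTP", "Enable"), ("CISCO", "Disable"),
    ("QuarantineDigest", "Disable"), ("MACBinding", "Enable"),
    ("LoginRestriction", "AnyNode"), ("ScheduleForApplianceAccess", "All The Time"),
    ("LoginRestrictionForAppliance", "AnyNode"), ("IsEncryptCert", "Disable"),
    ("SimultaneousLoginsGlobal", "Enable"), ("Profile", "Administrator"),
    ("L2TPIp", ""), ("PPTPIp", ""),
]


def build_user_request(admin_user, admin_pass, username, name, email, group, password=None):
    """Return the <Request> XML that adds an Administrator user.

    The two points the thread settled on: <User> carries a transactionid attribute
    (empty is fine) and <Password> is non-empty. As in Ben's working script the
    password defaults to the username; for AD users the firewall authenticates
    against AD, so this value only satisfies the API.
    """
    request = ET.Element("Request")
    login = ET.SubElement(request, "Login")
    ET.SubElement(login, "Username").text = admin_user
    ET.SubElement(login, "Password", passwordform="encrypt").text = admin_pass
    set_el = ET.SubElement(request, "Set", operation="add")
    user = ET.SubElement(set_el, "User", transactionid="")   # required attribute
    ET.SubElement(user, "Username").text = username
    ET.SubElement(user, "Name").text = name
    ET.SubElement(user, "Password").text = password if password is not None else username
    ET.SubElement(user, "Description")
    ET.SubElement(user, "UserType").text = "Administrator"
    ET.SubElement(ET.SubElement(user, "EmailList"), "EmailID").text = email
    ET.SubElement(user, "Group").text = group
    for tag, value in USER_DEFAULTS:
        element = ET.SubElement(user, tag)
        if value:
            element.text = value
    return ET.tostring(request, encoding="unicode")


def check_user_request(xml_text):
    """Return a list of the defects the thread identified; an empty list means OK."""
    problems = []
    for user in ET.fromstring(xml_text).iter("User"):
        if "transactionid" not in user.attrib:
            problems.append("User element lacks the transactionid attribute")
        password = user.find("Password")
        if password is None or not (password.text or "").strip():
            problems.append("User element has no non-empty Password")
    return problems


def parse_response(xml_text):
    """Collect (component, code, message) for every <Status code=...> in a reply.

    <Login> reports a lowercase <status> without a code, so only operation
    results such as <User><Status code="500"> are returned.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))   # bytes: keeps the XML declaration valid
    results = []
    for component in root:
        status = component.find("Status")
        if status is not None and "code" in status.attrib:
            results.append((component.tag, int(status.attrib["code"]), (status.text or "").strip()))
    return results


# Constructed copy of the first attempt from the thread: no transactionid, no Password.
FIRST_ATTEMPT = """<Request><Login><Username>admin</Username>
<Password passwordform='encrypt'>#encr_pass#</Password></Login>
<Set operation='add'><User><Username>user.name@dom.local</Username>
<Name>user.name@dom.local</Name><UserType>Administrator</UserType>
<Group>AdminUsers</Group><Profile>Administrator</Profile></User></Set></Request>"""

# Constructed copy of the firewall's reply to that attempt.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<Response APIVersion="1800.1" IPS_CAT_VER="1">
  <Login><status>Authentication Successful</status></Login>
  <User transactionid=""><Status code="500">Operation could not be performed on Entity.</Status></User>
</Response>"""

if __name__ == "__main__":
    print("first attempt:", check_user_request(FIRST_ATTEMPT))
    fixed = build_user_request("admin", "#encr_pass#", "user.name@dom.local",
                               "user.name", "user.name@dom.de", "AdminUsers")
    print("fixed request:", check_user_request(fixed) or "OK")
    print("response:", parse_response(SAMPLE_RESPONSE))
```

Running check_user_request on a request before posting it turns the firewall's generic "Operation could not be performed on Entity" into a local message that names the missing tag, and parse_response gives the script a status code per component to act on instead of scanning the reply by hand.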
